🟠 CIS AWS 4.3 · Rule: AWS-NET-003 · Severity: medium

Ensure VPC Flow Logs are enabled

Description

VPC Flow Logs must be enabled for network traffic monitoring and forensic analysis.

⚠️ Risk Impact

Without flow logs, lateral movement and data exfiltration carried over the network are invisible.

🔍 How EchelonGraph Detects This

AWS-NET-003 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as medium-severity findings with remediation guidance.

🔧 Remediation

Enable flow logs, replacing VPC_ID and BUCKET_ARN with the target VPC and destination bucket: aws ec2 create-flow-logs --resource-type VPC --resource-ids VPC_ID --traffic-type ALL --log-destination-type s3 --log-destination BUCKET_ARN

💀 Real-World Attack Scenario

An attacker established a covert data exfiltration channel using HTTPS connections to a legitimate-looking CDN domain. Without VPC Flow Logs, the 400MB/day of outbound data transfer went undetected for 4 months. Flow Logs would have shown the unusual sustained outbound traffic pattern.

💰 Cost of Non-Compliance

Breaches without network monitoring have 2.5x longer dwell time. Average additional cost: $1.8M. SOC 2 CC7.2 and PCI DSS 10.x require network monitoring capabilities.

📋 Audit Questions

  1. Are VPC Flow Logs enabled on all VPCs?
  2. What traffic types are captured (ALL, ACCEPT, REJECT)?
  3. Where are flow logs stored and for how long?
  4. Are flow logs integrated with your SIEM?

🎯 MITRE ATT&CK Mapping

T1048 — Exfiltration Over Alternative Protocol
T1071 — Application Layer Protocol

🏗️ Infrastructure as Code Fix

main.tf
resource "aws_flow_log" "vpc" {
  vpc_id                   = aws_vpc.main.id
  traffic_type             = "ALL"
  log_destination          = aws_s3_bucket.flow_logs.arn
  log_destination_type     = "s3"
  max_aggregation_interval = 60
}

⚡ Common Pitfalls

  • Only capturing REJECT traffic (missing accepted malicious connections)
  • Flow logs in CloudWatch Logs without a retention policy (expensive)
  • Not analyzing flow logs for anomalies (collecting but not monitoring)
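The audit questions above and the REJECT-only pitfall can be checked mechanically. The following is an added example, not EchelonGraph's scanner code: it evaluates every VPC against this rule from the shape of boto3's ec2.describe_vpcs() and ec2.describe_flow_logs() output, and the VPC and flow-log records embedded in it are constructed sample data, not real resources.

```python
"""Offline check for AWS-NET-003 / CIS AWS 4.3: each VPC needs an ACTIVE flow log with TrafficType ALL."""
from collections import defaultdict

# Constructed sample data in the shape of boto3 ec2.describe_vpcs()["Vpcs"] and
# ec2.describe_flow_logs()["FlowLogs"]; these IDs are made up for the example.
SAMPLE_VPCS = [{"VpcId": "vpc-0aaa"}, {"VpcId": "vpc-0bbb"}, {"VpcId": "vpc-0ccc"}, {"VpcId": "vpc-0ddd"}]
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-1", "ResourceId": "vpc-0aaa", "TrafficType": "ALL", "FlowLogStatus": "ACTIVE"},
    {"FlowLogId": "fl-2", "ResourceId": "vpc-0bbb", "TrafficType": "REJECT", "FlowLogStatus": "ACTIVE"},
    {"FlowLogId": "fl-3", "ResourceId": "vpc-0ccc", "TrafficType": "ALL", "FlowLogStatus": "INACTIVE"},
    # A subnet-scoped flow log does not satisfy the VPC-wide control for vpc-0ddd.
    {"FlowLogId": "fl-4", "ResourceId": "subnet-0ddd1", "TrafficType": "ALL", "FlowLogStatus": "ACTIVE"},
]

def evaluate_flow_log_coverage(vpcs, flow_logs):
    """Return {vpc_id: [finding, ...]}; an empty list means the VPC passes the rule."""
    logs_by_vpc = defaultdict(list)
    for fl in flow_logs:
        # Only flow logs attached at VPC scope count; subnet/ENI logs leave gaps.
        if fl.get("ResourceId", "").startswith("vpc-"):
            logs_by_vpc[fl["ResourceId"]].append(fl)
    results = {}
    for vpc in vpcs:
        vpc_id = vpc["VpcId"]
        attached = logs_by_vpc.get(vpc_id, [])
        active = [fl for fl in attached if fl.get("FlowLogStatus") == "ACTIVE"]
        findings = []
        if not attached:
            findings.append("no flow log configured")
        elif not active:
            findings.append("flow log configured but none is ACTIVE")
        elif not any(fl.get("TrafficType") == "ALL" for fl in active):
            # The REJECT-only pitfall: accepted malicious sessions never appear in the log.
            types = ", ".join(sorted(fl.get("TrafficType", "?") for fl in active))
            findings.append(f"captures only {types}; ALL required")
        results[vpc_id] = findings
    return results

def fetch_from_aws(region_name):
    """Live variant; boto3 is imported here so the offline check needs no AWS SDK installed."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    vpcs = ec2.describe_vpcs()["Vpcs"]
    flow_logs = [fl for page in ec2.get_paginator("describe_flow_logs").paginate()
                 for fl in page["FlowLogs"]]
    return vpcs, flow_logs

if __name__ == "__main__":
    print(evaluate_flow_log_coverage(SAMPLE_VPCS, SAMPLE_FLOW_LOGS))
```

Run it per region and per account; a non-empty list for any VPC is a finding under this rule, and the text of the finding says which of the three failure modes applies.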

📈 Business Value

VPC Flow Logs enable network-level threat detection, capacity planning, and forensic investigation. They're the minimum viable network monitoring for any cloud environment.

⏱️ Effort Estimate

Manual

1 hour per VPC to enable and configure flow logs

With EchelonGraph

EchelonGraph verifies flow log configuration across all VPCs and accounts

🔗 Cross-Framework References

SOC2-CC7.2 · ISO27001-A.12.4.1
